64 Complaints Received On UK Cookie Law

judgecorp writes "Privacy watchdog, the Information Commissioner's Office, has already received 64 complaints under the UK's Cookie Law, which requires sites to get permission to track users with cookies. The law only came into effect on Saturday, and many sites do not expect to comply soon. To make life more complicated, the ICO has updated its advice, apparently allowing 'implied consent' instead of actually making a user click a box to give permission for cookies."

Re:Stupid and impossible law

[Zocalo]

This isn't about banning cookies, it's about banning user tracking without consent - which includes far more than cookies; browser fingerprints being the main candidate, so the correct intent is there. For a start, it's perfectly OK within the law to set a cookie that tells the site to not track that user, which I suspect will form the bulk of the (incorrect) complaints received by the ICO, but you can't use that cookie to track the user across your site, or any affiliate sites.

The problem with this legislation isn't the intent, it's the complete lack of clarity coming from the ICO who are responsible for its adminstration and enforcement. The law essentially boils down to "do not track your users without their consent", which the ICO has then muddied the waters over by making some vague remarks about implied consent being OK without explaining exactly what they mean. There is a great deal of confusion over whether the request to opt-in/out needs to be overt (i.e. a click-through or banner), whether or not you can set a "do not track" cookie (you can), and so on.

It's not being helped by some totally lame implementations of the consent request, most probably due to lack of clarity from the ICO about what can and can't be done, in the cases of users with cookies and/or JavaScript disabled for a site. A frequent occurance in this case seems to be that such users either have to go through the consent request every visit or have a consent banner permanantly displayed on the screen. Both these problems could (and I'll emphasis that "could") go away quite simply if the ICO were to state that:

1. If using a script to prompt for consent and if that script is blocked then default to "do not track"
2. It's OK to try and set a cookie, read it back and if that fails assume cookies are blocked by the user and implied consent = "do not track", otherwise prompt the user for consent and act accordingly.

But all that assumes that the websites are going to act in the best interests of their users over the best interests of their bottom line; in many cases sites will be dependant on the revenue they can raise from their users, and a tracked user is going to be better targetted with ads, and thus more likely to click through, than one that is not. The more inconvenient it is for users to opt out of tracking, the more likely we are going to see those sites taking that track. Kudos on that front to the BBC who have a well thought out and graded set of cookie policies [bbc.co.uk] you can opt into ranging from "necessary", through "functionality" and "performance", to "behavioural advertising".